<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Token-based authentication services | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'token-authentication-services.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/token-authentication-services.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/token-authentication-services.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/token-authentication-services.html" rel="nofollow" target="_blank">../en/token-authentication-services.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="setting-up-authentication.html">User authentication</a></span>
»
<span class="breadcrumb-node">Token-based authentication services</span>
</div>
<div class="navheader">
<span class="prev">
<a href="internal-users.html">« Internal users</a>
</span>
<span class="next">
<a href="realms.html">Realms »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="token-authentication-services"></a>Token-based authentication services<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/token-authentication-services.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>The Elastic Stack security features authenticate users by using realms and one or more token-based
authentication services. The token-based authentication services are used for
authentication and for the management of tokens. These tokens can be used as
credentials attached to requests that are sent to Elasticsearch. When Elasticsearch receives a request
that must be authenticated, it consults first the token-based authentication
services then the realm chain.</p>
<p>The security features provide the following built-in token-based authentication
services, which are listed in the order they are consulted:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<em>token-service</em>
</span>
</dt>
<dd>
<p>
The token service uses the <a class="xref" href="security-api-get-token.html" title="Get token API">get token API</a> to
generate access tokens and refresh tokens based on the OAuth2 specification.
The access token is a short-lived token. By default, it expires after 20 minutes
but it can be configured to last a maximum of 1 hour. It can be refreshed by
using a refresh token, which has a lifetime of 24 hours. The access token is a
bearer token. You can use it by sending a request with an <code class="literal">Authorization</code>
header with a value that has the prefix "Bearer " followed by the value of the
access token. For example:
</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">curl -H "Authorization: Bearer dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==" http://localhost:9200/_cluster/health</pre>
</div>
</dd>
<dt>
<span class="term">
<em>api-key-service</em>
</span>
</dt>
<dd>
<p>
The API key service uses the
<a class="xref" href="security-api-create-api-key.html" title="Create API key API">create API key API</a> to generate API keys.
By default, the API keys do not expire. When you make a request to create API
keys, you can specify an expiration and permissions for the API key. The
permissions are limited by the authenticated user’s permissions. You can use the
API key by sending a request with an <code class="literal">Authorization</code> header with a value that
has the prefix "ApiKey " followed by the credentials. The credentials are the
base64 encoding of the API key ID and the API key joined by a colon. For example:
</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">curl -H "Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" http://localhost:9200/_cluster/health</pre>
</div>
</dd>
</dl>
</div>
<p>Depending on your use case, you may want to decide on the lifetime of the tokens
generated by these services. You can then use this information to decide which
service to use to generate and manage the tokens. Non-expiring API keys may seem
like the easy option but you must consider the security implications that come
with non-expiring keys. Both the <em>token-service</em> and <em>api-key-service</em> permit
you to invalidate the tokens. See
<a class="xref" href="security-api-invalidate-token.html" title="Invalidate token API">invalidate token API</a> and
<a class="xref" href="security-api-invalidate-api-key.html" title="Invalidate API key API">invalidate API key API</a>.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="internal-users.html">« Internal users</a>
</span>
<span class="next">
<a href="realms.html">Realms »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>